Crime and corruption in the 4th industrial revolution

March 2017 | EXPERT BRIEFING | FRAUD & CORRUPTION

financierworldwide.com

The first Industrial Revolution used water and steam power to mechanise production; the second used electric power, resulting in a vast industrial sector; and the third saw the beginnings of electronics and information technology to automate production. We have now entered the fourth Industrial Revolution, a fusion of technologies that is blurring the lines between the physical, digital and biological spheres.

With these advances comes the need to recognise that the way we have done things in the past is no longer acceptable. For a company, a government, a law enforcement agency, a regulatory agency, an academic institution or individual to embrace the future, there is a collective need to have the courage to change our past approaches.

The Association of Certified Financial Crime Specialists (ACFCS) was the first association to advocate for organisations to adopt an enterprise-wide risk approach for the purposes of financial crime compliance, including anti-money laundering (AML), fraud, corruption and cyber security, and to adapt from the past practice of focusing on each individual risk as independent silos. Over the past year we have seen companies continue to be exposed to massive regulatory penalties; this clearly demonstrates that a siloed approach creates an added expense to an organisation’s efficiency. Efficiencies are lost as each group creates its own risk strategy, and this disparate relationship between risk groups results in a failure to adopt a strategy that correlates all enterprise risk exposure points.

Typically, in recent years when federal regulators talked about creating an enterprise-wide financial crime compliance programme, and related risk assessment and suspicious activity monitoring and reporting systems, they were referring to a function that had coverage, depth, expertise, resources, coordination, communication and interconnectedness across physical borders. It was only in 2016 that top regulatory and government agencies began to embrace and extol the virtues of compliance convergence, extending the concept of interwoven, innovative and agile compliance personnel to include AML, fraud and cyber security professionals – a validation of the ACFCS core mantra and mission since its inception.

This siloed and divided approach to financial crime risk management is fundamentally at odds with an increasingly diverse and rapidly changing risk landscape, one in which cyber crime threats, global corruption and financial secrecy, and insider threats and rapid technological changes, are all posing unprecedented compliance challenges for companies worldwide.

2016 was rife with examples of risk oversights linked to fragmented approaches to financial crime risk management, notwithstanding that some of the companies involved were subject to previous regulatory lapses. 2016 saw Wells Fargo in the news, resulting from the revelation that the company fired 5000 employees after discovering they had opened new customer accounts without customer permission, to meet prohibitive sales targets.

This demonstrates that the profit motive is being placed above ethics. In September, Wells Fargo agreed to pay $185m in fines and refund $2.6m in fees charged to customers. The bank apologised and said it was taking “responsibility for any instances where customers may have received a product that they did not request”.

While the Wells Fargo case resonated most with the public, in February 2016 the company also agreed to pay $1.2bn to settle claims that it made reckless loans leading up to the housing bubble and then illegally claimed certain loans were eligible for a federal insurance programme. This was followed by the Securities and Exchange Commission in March charging the bank with defrauding investors in a municipal bond deal to finance 38 Studios, a Rhode Island start-up video game company founded by former Boston Red Sox and Phillies pitcher Curt Schilling that eventually went bankrupt, leaving the state on the hook for $75m in debt.

We also became aware of the €6.4bn loss at Société Générale which was allegedly the result of several risk oversights, combining a lack of controls on individual traders as well as a failure to implement various checks on the trading systems themselves. Overall, the finding indicated management did not have a sound risk methodology.

In December, US-based Credit Suisse Securities LLC agreed to pay $16.5m to the Financial Industry Regulatory Authority for AML violations involving microcap stock transactions. According to FINRA’s action, Credit Suisse’s suspicious activity monitoring programme was deficient as the institution primarily relied on its registered representatives to identify and escalate potentially suspicious trading, including in microcap stock transactions, but “high-risk activity was not always escalated and investigated as required”.

These examples highlight the fact that major risk events are not the result of one risk. The regulatory findings have demonstrated over and over again that institutions have a large number of risk exposure points crossing various functional lines. For this reason, companies need to adopt an enterprise-wide risk programme and adopt a holistic approach to financial crime compliance. The days of focusing solely on placement, layering and integration, the standard money laundering approach, and attempting to analyse red flags tied to suspicious activity without uncovering the broader criminal and cyber contexts, are long behind us. Jon Elvin, anti-money laundering officer with PNC, believes that establishing this enterprise-wide view of risk should form the basis of any AML programme. “You must look at your cross-channel exposure,” he says. “From a risk perspective, particularly when related to fraud or an AML event, you either have dollar loss or reputational loss – sometimes both. An organisation’s ability to understand what its exposure is early on is challenging for financial institutions. But the ability to understand this exposure quickly helps them prepare a response to deal with it from the internal, external and regulatory points of view.” Consequently, companies need to better coordinate their risk management functions and establish consistent risk reporting mechanisms across their organisations.

What can be said is that regulators want firms to concentrate on the methodology used to arrive at their risk assessments and to ensure that the risk management process can be evidenced to be effective and value-added. To achieve this in today’s environment, organisations need to embrace technology in order to ensure they have effectively and efficiently used their Big Data to highlight the real risk exposure of their particular organisation. This must be accomplished holistically from all of the various risk silos.

Failure to embrace change through technology will lead to organisations being subjected to a higher number of criminal attacks and those fusillades will be more damaging. It is a given that organised crime and rogue states are far more adaptive and embrace technology in order to benefit their criminal aims.

And one of the riskiest attack vectors is a fusion of classic criminal smash-and-grab tactics, but with a virtual twist – the attack comes not through the front door in a blaze of glory, but from the virtual world at the touch of a button, a keystone uncovered with a keystroke.

The future also dictates that organisations continuing to rely on separate legacy systems are opening themselves to increased cyber attacks. These systems do not come close to meeting current standards and fall far short of the newer, cutting edge artificial intelligence software systems some banks are employing to make better use of transaction data, lower alert volumes and bring them more in line with human resources and the related analysis to create the foundation of a criminal investigation. Many compliance officers and senior managers recognise that current systems create weaknesses, but this recognition has failed to be translated into change within many organisations. Regardless, in the coming months companies will be forced to either design their own all-encompassing system or to acquire a system that supports enterprise risk processes and reporting, a programme encompassing AML, cyber security and better monitoring of insider and customer activities, while ensuring the needs of risk groups are addressed and compliance goals are achieved.

The same can be said for internal and external auditors. We have been witness to many large forensic audit companies being singled out for not providing the expected oversight during their annual audits. Current technology involving artificial intelligence should enable the auditing profession to capitalise and improve so that past identified lapses do not occur in the future. Through the use of automated systems, auditors should be able to appropriately identify the organisational risks resulting in more informed decisions along with ensuring transparent and accurate reporting.

Although many organisations have yet to readily accept it, artificial intelligence has become part of our daily lives over the past year. The uses range from consumer-facing applications like self-driving cars, robotic vacuums and drones, to transaction monitoring software that not only adapts to a particular organisation, but serves to identify transactional risks using Big Data. We continue to see exponential increases in computing power, thereby enabling software to conduct detailed analysis on mega data through the use of defined algorithms. We have seen IBM’s Watson outperform humans on Jeopardy which serves to show that we may be nearing what practitioners call the ‘point of singularity’ wherein the computer has reached the current capacity of the human brain. The future means that computers will soon be teaching us and these abilities will be capitalised on by the criminal element.

Already, technological advances have been harnessed by threat actors in the booming cyber crime industry to great effect. It has been estimated that the annual cost to the global economy from cyber crime is more than $400bn, a figure that most analysts expect to increase in coming years. Clearly cyber crime can still be considered a growth industry, with the criminal element long recognising that they can achieve great returns with limited risk.

Despite increased awareness and spending on cyber defences among most companies, the human element still remains a key weak point in security. Over the last few years, we have seen the emergence of two of the most common cyber attacks that cyber criminals have adopted – social engineering and vulnerability exploitation. In the case of social engineering, the cyber criminal manipulates targets into providing sensitive information or otherwise taking steps that grant attackers access to an individual’s or an institution’s computer systems. Vulnerability exploitation involves the use of system weaknesses, including using backdoors found among suppliers or clients.

Experience has shown that the rate of return on cyber crime favours criminals, resulting in an exponential expansion. It is the profit motive which leads to wealthier countries continuing to witness criminal activities from countries such as Nigeria, some Eastern bloc nations and, most recently, Jamaica. Third world country criminal groups are achieving great wealth notwithstanding the fact that targeting is based on mass marketing attacks that defraud individuals of relatively small amounts in most cases. There are, however, examples of individuals falling victim to large scale fraud. The elderly and those deemed most vulnerable are often targeted.

The reality is that the response to cyber crime is a business decision. Companies and individuals make decisions on how to manage the potential for loss from cyber crime by deciding how much risk they are willing to accept and how much they are willing to spend to reduce that risk. The problem is that if companies are unaware of their losses or underestimate their vulnerability, they will underestimate risk.

Arguably, companies and governments, regardless of their professed diligence relative to cyber crime controls, will continue to be at risk of fraud and corruption due to their slowness to adapt and embrace what new technologies offer. For most, they still base their decisions whether to invest in technology on risk exposure and their willingness to sustain some level of loss. This is especially true for law firms.

Law firms are often the slowest to accept their vulnerability relative to being targeted. In December, law firms should have taken notice of the hack perpetrated by three Chinese traders, who earned more than $4m in illegal profits after they hacked into the computer systems of prominent US law firms and stole non-public information on mergers and acquisitions. Law firms need to be far more proactive and become cyber savvy, but for the most part this fell on deaf ears.

At the end of the day, what this means is that companies, organisations and governments that fail to adequately protect their networks will be at an increasing competitive disadvantage. We have technology that is available now to help thwart the advances of cyber criminals and therefore, as part of a regulatory framework, it is time governments set expected standards and mandated best practices for cyber defences.

At times, decision makers in both the private and public sectors have been slow to react to the present reality of a rapidly evolving risk landscape. As Professor Klaus Schwab, founder and executive chairman of the World Economic Forum, said, “The changes are so profound that, from the perspective of human history, there has never been a time of greater promise or potential peril. My concern, however, is that decision makers are too often caught in traditional, linear (and non-disruptive) thinking or too absorbed by immediate concerns to think strategically about the forces of disruption and innovation shaping our future. In order to thrive, business leaders will have to actively work to expand their thinking away from what has been traditionally done, and include ideas and systems that may never have been considered. Business leaders must begin questioning everything, from rethinking their strategies and business models, to discovering the right investments in training and potentially disruptive R&D investments”.

Events of the past year have also cast a harsh light on the prevalence and persistence of two other interwoven financial crime issues – corruption of high-level public officials, and the global industry of service providers offering financial secrecy that allows it to thrive. In 2016 there was a bombardment of global corruption being highlighted.

In 2016 Transparency International (TI) developed a new term for corruption by heads of state and powerful people – grand corruption. Grand corruption was defined by TI as “the abuse of high-level power that benefits the few at the expense of the many and causes serious and widespread harm to individuals and society. It often goes unpunished.”

The reality is that we still see various levels of corruption. We continually read about politicians at all levels being corrupted and when reviewing each case, it all comes down to greed trumping ethics.

Two recent grand corruption cases highlighted by TI included the former president of Panama, Ricardo Martinelli, who fled the country because of corruption charges after TI pressured the Panamanian government to investigate alleged corruption during his administration, and the former president of Ukraine, Viktor Yanukovych, who allegedly fled his country after being accused of stealing more than $7.5bn from the Ukrainian people.

We have witnessed through the release of the Panama Papers and more astonishingly through a Global Witness undercover probe, the ease of concealment and collaboration available from law firms and legal professionals. In the case of the Global Witness probe, the non-profit group hired an actor allegedly representing a public official of an African nation, who was seeking assistance from New York lawyers and law firms to move funds into the US. After visiting with several prominent attorneys, the Global Witness findings were: (i) lawyers from 12 of the 13 firms visited suggested using anonymous companies or trusts to hide the minister’s assets. All but one of these firms recommended using American companies; (ii) one of the lawyers who provided suggestions on how to move the funds was James Silkenat, the president of the American Bar Association at the time; (iii) several lawyers suggested using their law firms’ own bank accounts to help prevent US banks realising whose money it really was, or to have the lawyer act as a trustee of an offshore trust and use this position to open a bank account; and (iv) while most of the lawyers asked for some information about the minister, and his source of funds, only one lawyer refused to provide assistance during the meeting itself.

There is an argument to be made that lawyers in North America should be brought into the money laundering reporting requirements. While the solicitor/client privilege is sacrosanct, when lawyers act in a financial advisory capacity or real estate agent capacity, they need to be held to the same standard as the rest of the financial community.

The need for this approach was again highlighted in December when it was revealed that global investigators believe billions of dollars were misappropriated from 1Malaysia Development Bhd., a state-owned economic development fund set up by Malaysian prime minister Najib Razak in 2009. The money allegedly moved through Singapore, Switzerland and other wealth centres before being used to buy real estate, art and other assets in New York, Beverly Hills and elsewhere.

This December, the Wall Street Journal published a compelling and supportive report demonstrating why law firms should not be immune from regulatory scrutiny: “Tens of billions of dollars every year move through opaque law-firm bank accounts that create a gap in US money-laundering defences, according to a Wall Street Journal analysis. These accounts were used by suspects in a multibillion-dollar scandal involving a Malaysian state investment fund known as 1MDB, according to a Justice Department description of events. They also played a part in a Florida Ponzi scheme, in a case related to an official of Equatorial Guinea and in a dozen other US money-laundering cases over the past decade, case records show. While banks and other firms that move money across borders face heavy pressure to alert regulators to suspicious activity, US law firms protect the confidentiality of their pooled accounts in the name of attorney-client privilege.”

Therefore, based on what we have witnessed and where we stand from a technology point of view, there are a number of things we can expect to see in the coming years. First, we will continue to be exposed to mobile ransomware attacks that steal cloud accounts and encrypt the data, requiring the ransom to be paid before gaining back control of data. Furthermore, with more and more mobile financial transactions, and the fact that many users and institutions have not mandated effective security controls, we will see an uptick in cyber attacks focused in this arena. 2017 will be the year that fraud goes mobile. Apple Pay has now joined Android along with many other FinTech firms jumping in the mobile payment space, and near-field communications technology is becoming mainstream. Cyber criminals are following.

We will continue to see either rogue states or major criminal enterprises launching large-scale denial of service attacks and releasing major malware, such as viruses, given that society is moving quickly toward the Internet of Things without the necessary security platforms.

With better technology, criminals will also be able to launch greater point of sale (POS) attacks, resulting in greater data losses than we have previously seen. Cyber security insurance will need to be factored in to all future costs.

In 2017, organisations will likely recognise that they may not be able to handle their cyber security needs internally. We will also begin to see how technological innovation will lead to long-term gains in efficiency and productivity. Transportation and communication costs may be reduced as logistics and global supply chains become more effective, and the cost of trades diminishes. All of this will open new markets and drive economic growth.

2017 will continue to challenge how technology impacts individual privacy, notwithstanding that new technologies rely on information gleaned from users.

Furthermore, there will be greater pressure exerted on the governments of Canada and the US from the Financial Action Task Force and TI to require lawyers and law firms to be brought in under proceeds of crime and money laundering controls.

Boards and chief compliance officers will be exposed to more scrutiny when major regulatory lapses are exposed, inclusive of a need to ensure that the right skills are available to effect good oversight. Beneficial ownership requirements will also be entrenched.

Finally, there will be a greater requirement for institutions to adopt a holistic compliance approach to financial crime controls, inclusive of cyber crime.

Garry Clement is a former senior adviser to the Association of Certified Financial Crime Specialists. He can be contacted on +1 (905) 355 1066 or by email: gclement@clementadvisorygroup.ca.